I have created an application, which works for all the windows users (Local, AD, Azure etc). For every user, I'm storing some data inside HKEY_CurrentUer\TESTApp\ registry. Now in the custom credential provider (LOGINUI) once the user enters the credential Wants to read that user HKEY_{...}\TESTApp\ details to know more about the user.
I can successfully store user details in HKEY_CurrentUer\TESTApp\ registry and read details from HKEY_USERS\SID\TESTApp\ if he already login's in.
Now I have the following question,
Is it possible to do the same for not logged in or log out users using either username/SID?
Is there any other HKEY place where I can store the user details and can easily read using username/SID without admin permission? For now, I want to maintain the user details in the machine itself (no cloud).
At last, if the above two is not possible, can I create and read a file with key-pair values in my app workspace without any permission issue?
Since I'm new to windows app development, correct me if I'm doing wrong. THANKS in advance.
HKEY_USERS\SID will be created only after successfully logon on this machine and continue to reside after logout.
If you are talking about logon scenario for credential provider CPUS_LOGON means that your credential provider is working with highest privileges for application - as a SYSTEM user, and you can read and write practically everywhere.
Related
Wondering if Windows background service (system profile) is UNABLE to access user appData folder on win 10 using C++ ?
It seems Windows service does not load user profile by default as links below and wondering if it is same as win 10.
.net windows service local application data is different then in normal app
https://social.msdn.microsoft.com/Forums/windows/en-US/0e8892b2-a9ce-446d-a8ee-c37c0a217ddd/not-able-to-get-user-s-app-data-folder-when-using-windows-service?forum=winforms
AppData\Roaming folder in windows service project
Thanks
The SYSTEM account has full access to the local machine, so of course it can access any user's AppData folder. The trick will be in obtaining the path to a given user's AppData folder in the first place.
APIs exist for the very purpose of obtaining user-related folder paths, see SHGetFolderPath() and SHGetKnownFolderPath(), both of which take a user token as input. Services run in a separate session from users, and the SYSTEM account has its own profile in the Registry, so you can't use anything that depends on HKEY_CURRENT_USER of the calling process to query the paths, as it will query the SYSTEM's paths, not a user's paths. You need to obtain the token of the desired user you want to query.
If the target user is logged in, you can use WTSQueryUserToken() to get the user's token. You just need the user's session ID, which you can get from ProcessIdToSessionId() for any process running on the user's session, or you can use WTSEnumerateSessions() and WTSQuerySessionInformation() to find the session containing the desired user's login info (if there is more than 1 user logged in), or you can use WTSGetActiveConsoleSessionId() to get the session that is logged in and currently attached to the physical keyboard/mouse/monitor.
If the target user is not logged in, but you have the user's credentials, you can use LogonUser() to get the user's token. You can then use LoadUserProfile() to access the user's HKEY_CURRENT_USER Registry hive and query the "\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" subkey directly.
Otherwise, you are pretty such SOL, unless you happen to know the user's SID, in which case you can enumerate the HKEY_USERS Registry hive looking for that SID, and then you can query the "\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" subkey directly.
So I know it is really BAD PRACTICE to store a users password in cleartext (even encrypted)....But here is my problem.
I am developing an in-house automation web-app using django as my backend and users login using their LDAP credentials. My app interacts with several 3rd party applications (Jira, Jenkins, Gitlab) that also use ldap credentials for user authentication. I would also like the ability to write to the users (linux) file system from the server (saving generated scripts).
What are my options?
The only one i have though of is to encrypt the password when user logs in and store that in the django session. Encryption and decryption keys will be generated per session and saved using django's sessions. The password will be decrypted whenever a password is needed but it will never be saved as clear text
*Obviously the user will need to concent to this method
Any other ideas?
If we're saying about logging into user's account using SSH, you can use public/private keys to do that. When user logs in, use his password for connecting to his account and create here authorized_keys file (or edit existing one) inside ~/.ssh directory. That way you will have access to SSH later.
Additionally, you can create some scripts that will handle that filesystem changes on root level.
I know that Jira and Gitlab can use OAuth and I'm pretty sure Jenkins understands that also. So you might be able to generate an OAuth-Token for the user on login (when you have the password in cleartext) for those systems and then use that token without the need to store the password.
Regarding the SSH-Access #GwynBleidD already gave a good answer.
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.
On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?
If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" buttton.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)
You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment ( an assumption ) so if production for example writes to a UNC path the coldfusion user must have acces. You could
Mimic this locally.
You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).
Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here.
change ownership from trustedInstaller
I am designing a Service to run under LocalSystem account on Win2000, XP and Vista. It will need access to users registry hives, sometimes for extended periods of time, both when the users are logged-in, and also, when they are not logged-in (IF the profile is local. If the profile is Roaming and not loaded, I will not attempt to load it.)
If the user is logged-on, I can get the Users access token by various means (E.g. from its Explorer process, or by receiving Logon events from the Service Control Manager) then use ImpersonateLoggedOnUser and RegOpenCurrentUser to access the User's hive. However, what are the implications if the User selects LogOff from the start menu while I am impersonating and have his hive open? Will the logoff be prevented? Will my impersonation be terminated?
If the user is not logged on, I can use RegLoadKey to directly open the hive NTUSER.DAT. (Impossible for a logged-on user). But what are the implications of this if the user decides to log-on (I suppose the hive will be locked and the logon either prevented, or may experience difficulty?)
I will be setting up some test projects to explore these ideas however, regardless of their apparent results, these questions are theoretical in terms of what type of problems might, or would, be caused by the user loggin in/out during these actions by the service.
Caveat: ImpersonateLoggedOnUser can ONLY be used either for a logged-on user (token obtained from process or SCM event) OR for a user for which I have the plaintext password to call WinLogon and obtain a token - TRUE / FALSE ? In other words although I have maximum permissions as LocalSystem and am able to change the user's password or even delete the user's account, if the user is not logged-on, it is totally impossible to create a new token to impersonate the user without having the the password?
Apparently, there is some risk of damaging a user's profile if it is already loaded by another process when the user logs in. In that case, the system will try to create a new subdirectory for the user.